Trading platform Robinhood disclosed late Monday that an “unauthorized party” had stolen the data of over 7 million customers as part of a major data breach.
According to a blog post published on Robinhood’s website, the breach, discovered on Nov. 3, allowed the perpetrator to steal the email addresses of around 5 million Robinhood users and the full names of a further 2 million individuals.
Around 310 individuals had their names, birth dates, and ZIP codes exposed as part of the breach, while 10 customers had “more extensive account details” revealed, according to Robinhood.
Robinhood stressed that no Social Security numbers, bank account numbers or credit card numbers were exposed in the breach, and that no customer had experienced a financial loss as a result.
“As a Safety First company, we owe it to our customers to be transparent and act with integrity,” Robinhood Chief Security Officer Caleb Sima said in a statement. “Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do.”
The company has reached out to law enforcement, disclosed the breach in a filing with the Securities and Exchange Commission, and engaged the services of cybersecurity company Mandiant to help investigate the breach.
“Robinhood quickly contained the security incident and conducted a thorough investigation to assess the impact,” Charles Carmakal, senior vice president and chief technology officer of Mandiant, told The Hill in a statement. “Mandiant has recently observed this threat actor in a limited number of security incidents and we expect they will continue to target and extort other organizations over the next several months.”
The breach comes after a difficult financial year for Robinhood, which was at the center of a trading crisis earlier this year when it shut down buying and selling of GameStop stock after Reddit users drove up the price, leading to criticism from lawmakers and others.
The incident was also made public during a year that has seen a massive increase in cyberattacks, prompting action from the federal government to help stem the tide of attacks.
These have included debilitating attacks on Colonial Pipeline, which led to gas shortages in multiple states, along with ransomware attacks on meat producer JBS USA and IT company Kaseya. More recently, there have been attacks carried out against Sinclair Broadcast Group and the National Rifle Association.